SOC Report FAQs
What is a SSAE 18 / SOC report?
Statement on Standards for Attestation Engagements No. 18 ("SSAE 18") is an attestation standard under which a service organization's auditor (i.e. the CPA firm conducting the engagement) issues an opinion on the service organization's controls. It is effective for SOC report opinions dated on or after May 1, 2017, with early adoption permitted. The opinion is delivered in the form of a System and Organization Controls (SOC) report. The report represents that the service organization has been through a thorough examination of relevant control objectives and control activities, which include controls over financial reporting, transaction processing, and information technology. SSAE 18 replaces SSAE No. 16. For additional information on SSAE No. 18 click here.
What are the different SOC reports?
SOC 1 – SOC for Service Organizations: ICFR - The performance and reporting requirements for an examination of controls at a service organization that are likely to be relevant to user entities' internal control over financial reporting.
SOC 2 – SOC for Service Organizations: Trust Services Criteria - The performance and reporting requirements for an examination of controls at a service organization relevant to security.
SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report - The performance and reporting requirements for an examination of controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy, resulting in a general use report.
SOC for Cybersecurity - The performance and reporting requirements for an examination of an entity's cybersecurity risk management program and related controls.
What are the differences between a Type-1 and Type-2 report?
A Type-1 report describes the service organization's controls at a point in time. This report focuses on the design of the controls to achieve the related control objectives. It includes the service auditor's opinion, management's assertion, and the description of the system. A Type-2 report focuses on both the design and operating effectiveness of controls over a period of time of at least six months. It includes all of the information in a Type-1 report with the addition of the service auditor's testing performed for each control.
From an auditor's perspective, only the SOC 1 Type-2 report provides assurance over a service organization's controls relative to its clients' financial transactions.
Which organizations need a SOC report?
Any service organization that needs an independent validation of controls relevant to how it transmits, processes, or stores client data may require a SOC report. Additionally, as a result of various legislative requirements like the Sarbanes-Oxley Act, as well as increased scrutiny over third-party controls, clients are increasingly requiring SOC reports from their service organizations.
What determines the pricing of a SOC report?
The pricing of a SOC report depends on many factors, such as the number and type of controls in place and the complexity of the system and related control environment. A Type-2 report costs more than a Type-1 report due to the additional testing and documentation required.
What is the best way to prepare for a SOC examination?
In nearly all cases, we recommend a readiness assessment before an organization begins a SOC examination for the first time. In a readiness assessment, we will perform a high-level assessment of the in-scope controls and document our findings. This gives the service organization a chance to remediate the gaps before we start the SOC reporting process. Additionally, much of this work can be leveraged for the SOC report.
Do the SOC reports have the auditor's opinion?
A SOC report will contain the auditor's opinion covering the following areas:
- Whether the service organization's description of controls is presented fairly
- Whether the service organization's controls are designed effectively
- Whether the service organization's controls are operating effectively over a specified period of time (Type-2 report only)
If the above items have been achieved by the service organization, the service auditor would issue an 'unqualified' opinion. If the above were achieved but the service auditor found significant exceptions (i.e. such that a control objective was either not in place or was not effective), the service auditor would issue a 'modified' opinion. If, however, the service organization materially failed one or more of the above, the service auditor would issue an 'adverse' opinion.
Can I distribute a SOC report for marketing purposes?
No. Only SOC 3 reports can be distributed for marketing purposes.
A SOC 1 report is restricted to specified parties when the criteria used to evaluate or measure the subject matter are available only to specified parties or appropriate only for a limited number of parties who either participated in their establishment, or can be presumed to have an adequate understanding of the criteria. In a service organization engagement, the criteria used are relevant to user entities and their auditors who have an understanding of how the service organization's system, including controls, is used for financial reporting by user entities. Accordingly, the service auditor's report should be restricted to those parties.
A SOC 2 report is restricted to specified parties when the criteria used to evaluate or measure the subject matter are available only to specified parties or appropriate only for a limited number of parties who either participated in their establishment, or can be presumed to have an adequate understanding of the criteria. The intended users of the report include management and other specified parties who understand (1) the nature of the service organization's services, (2) how the service organization's system interacts with user entities, subservice organizations, and others, (3) internal control and its limitations, (4) the applicable trust services criteria, (5) the nature of user entity responsibilities and complementary user entity controls and how they work with the service organization's controls to meet the applicable trust services criteria, and (6) the risks that may threaten meeting the applicable trust services criteria and how controls address those risks. Accordingly, the service auditor's report should be restricted to those parties.
A SOC 3 report, however, ordinarily is a general-use report, which means that management of the service organization may provide the report to anyone.
For additional information on the SOC reporting process, including which report might be appropriate for your organization, please contact Kelly O'Callaghan, CPA, Partner at Kelly.OCallaghan@CohnReznick.com; 973-618-6221 or Remi Franklin, CISA, Director, at Remi.Franklin@CohnReznick.com; 973-364-7737.